ICSA-12-167-01  ·  Published 2025-06-06

Innominate MGuard Weak HTTPS and SSH Keys

CVSS 7.1 HIGH

CVEs (1)

Remediations

  • Software Version 7.5.0 or later properly uses existing entropy before generating HTTPS and SSH keys. It also increases the size of the RSA keys from 1,024 bits to 2,048 bits. The software update can be found at the Innominate download website. Innominate recommends changing passwords after new keys are generated.
  • Innominate recommends one of the three following mitigation procedures:
    1. Use the Rescue Procedure to install the software Version 7.5.0. New keys will be generated as part of this process.
    2. Use the update mechanism to update the devices to Version 7.5.0.
       a. Install the update. Existing keys will be kept.
       b. After the update, the existing keys must be replaced by using one of the following methods:
          i. Web User Interface
             1) Log in as root or admin user.
             2) Press the “Generate new 2048 bit keys” button either in the “Web Settings -> Access” or in the “System Settings -> Shell Access” menu.
             3) Note the fingerprint output of the newly generated keys.
             4) Log in via HTTPS and compare the certificate information provided by the browser.
          ii. Console
             1) Log in via the serial console or SSH as root or admin user.
             2) Call the program: $ rsa_renewal update
             3) Note the fingerprint output of the newly generated keys.
             4) Log in via SSH and compare the fingerprints shown by SSH.
    3. Upload and execute a shell script via SSH as root, provided by Innominate. The script will generate new 2,048 bit keys without requiring an update to software Version 7.5.0.
       a. The script can be downloaded from Innominate at http://www.innominate.com/en/downloads/software-and-misc.
       b. Use scp to copy the script onto the mGuard like (but appropriate for the user’s setup): $ scp generate_2048key.sh [email protected]:/root/
       c. Log in via SSH as root user.
       d. Execute the script: $ sh /root/generate_2048key.sh
       e. Note the fingerprint output of the newly generated keys.
       f. Log in via SSH and compare the fingerprints shown by SSH.
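
The "note the fingerprint, then log in and compare" step can be checked mechanically. The following is an added example, not Innominate's tooling and not part of the advisory: it parses an SSH RSA host key line (as saved from a client or from ssh-keyscan), confirms the modulus is at least 2,048 bits, and compares its fingerprint with the one noted at key generation. It assumes the device prints a standard OpenSSH-style SHA256 or MD5 fingerprint; all function names are hypothetical and the sample moduli are constructed.

```python
import base64
import hashlib
import struct

def _mpint(n):
    # SSH mpint: big-endian, with a leading zero byte when the top bit is set
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def make_pubkey_line(n, e=65537):
    """Build an 'ssh-rsa AAAA...' line; used here only to construct sample input."""
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def parse_rsa_pubkey(line):
    """Return (wire blob, modulus bits) from a public-key or ssh-keyscan line."""
    fields = line.split()
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1])
    parts, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        parts.append(blob[off + 4: off + 4 + length])
        off += 4 + length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return blob, int.from_bytes(parts[2], "big").bit_length()

def fingerprints(blob):
    """Both fingerprint styles OpenSSH clients display for a host key."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def check_host_key(line, noted_fp, min_bits=2048):
    """List of problems; empty means the key is large enough and matches."""
    blob, bits = parse_rsa_pubkey(line)
    noted = noted_fp.strip()
    if noted.upper().startswith("MD5:"):
        noted = noted[4:].lower()
    problems = []
    if bits < min_bits:
        problems.append(f"RSA modulus is {bits} bits, expected at least {min_bits}")
    if noted not in fingerprints(blob):
        problems.append("fingerprint differs from the one noted at key generation")
    return problems

# Constructed moduli (not real keys), sized like the old and the regenerated keys
OLD_N, NEW_N = (1 << 1023) | 1, (1 << 2047) | 1
```

A device that still presents its pre-update key fails both checks: the modulus is 1,024 bits and the fingerprint does not match the one noted for the new key.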

Affected Vendors

Innominate

Affected Products (6)

Innominate · mGuard Smart HW-101020|HW-101050|BD-101010|BD-101020
Innominate · mGuard PCI HW-102020|HW-102050|BD-111010|BD-111020
Innominate · mGuard Industrial RS HW-105000|BD-501000|BD-501010|BD-501020
Innominate · mGuard Blade HW-104020|HW-104050
Innominate · mGuard Delta HW-103050|BD-201000
Innominate · EAGLE mGuard HW-201000|BD-301010
